
Upgrade Authentication-Service


Step 0: Shutdown caGrid 1.3 Authentication Service

  1. Connect to your caGrid 1.3 Authentication Service server
  2. Shutdown your Tomcat Container
     $ $CATALINA_HOME/bin/shutdown.sh
    

Step 1: Prepare Host

The caGrid 1.4 Training grid host was installed and configured according to the specifications listed on the caGrid 1.4 Host Configuration page.

GlobalModelExchange specific requirements:

  1. Secure Container

Step 2: Prepare Configuration Files

Copy Authentication configuration files to new host.

  1. Download and extract https://wiki.cagrid.org/download/attachments/10617829/caGrid-1.4-Configs-NCI.zip.
    1. Copy <target_grid>/Authentication/authentication.properties to $HOME/tmp
    2. Copy <target_grid>/Authentication/.java.login.config to $HOME/tmp
    3. Copy <target_grid>/Authentication/serviceMetadata.xml to $HOME/tmp
  2. Edit authentication.properties
    1. Do Not Set gaards.authentication.csm.truststore
    2. Set gaards.authentication.saml.cert to the location of your host certificate (which will be created below): /home/<USER>/.cagrid/certificates/<HOST>-cert.pem
    3. Set gaards.authentication.saml.key to the location of your host key (which will be created below): /home/<USER>/.cagrid/certificates/<HOST>-key.pem
    4. Do Not Set gaards.authentication.saml.key.password

Step 3: Install caGrid Software and Configure a secure container

In this step you will use the installer to install and configure caGrid. Be sure to read the following blue info box for special instructions for steps 11, 15 and 16 of the installer before proceeding.

Install caGrid and Configure a Secure Container Using the caGrid 1.4 Installer

At Step 11: Make sure you select the correct target grid for your installation
QA: NCI QA Grid for caGrid 1.4
Stage: NCI QA Grid for caGrid 1.4
Production: NCI QA Grid for caGrid 1.4
Training: Training Grid for caGrid 1.4

Step 15: The hostname must be the externally routable name. For example, the Training Grid Master GTS external hostname is mastergts.training.cagrid.org and internal is cagrid-1_3-training-master-gts.cagrid.org. We specified mastergts.training.cagrid.org when creating credentials.

Step 16: Select the option to create credentials with the GAARDS UI

  1. Start GAARDS UI
     $ cd $CAGRID_HOME
     $ ant security
    
  2. Click the "Login" button.
    1. Enter user and password of a user with administration privileges.
  3. Open the "Host Certificate Management" panel via the "Account Management" menu -> Grid Account Management -> Host Certificate Management.
    1. Type "auth" in the Host field and click the "Search" button.
    2. Double-click the currently active Authentication-Service credential. This will open the 'Host Certificate' panel
    3. Select "compromised" from the Status drop down menu, then click "Update Certificate".
  4. Open the "Request Host Certificate" Panel via the "My Account" menu -> "Request Host Certificate".
    1. Type the externally routable hostname of the new Authentication-Service service in the "Host" field.
    2. The "Specify directory to Write Credentials" should be your griduser's /home/griduser/.cagrid/certificates directory. This will overwrite the previous credentials.
    3. Click "Request Certificate"
    4. Close the GAARDS UI

At this point, you should set the following environment variables. The last step of the installer provides the paths for these settings:

  1. CAGRID_HOME which points to the location of your 'caGrid' source directory
  2. ANT_HOME which points to the location of your apache-ant-1.7.0 directory
  3. JAVA_HOME which points to the location of your jdk1.6.0_* directory
  4. GLOBUS_LOCATION which points to the location of your ws-core-4.0.3 directory
  5. CATALINA_HOME which points to the location of your apache-tomcat-5.5.27 directory

Step 4: Configure Authentication with prepared configuration files

  1. Copy authentication.properties
     $ cp $HOME/tmp/authentication.properties $CAGRID_HOME/projects/authentication-service/etc/.
    
  2. Copy serviceMetadata.xml
     $ cp $HOME/tmp/serviceMetadata.xml $CAGRID_HOME/projects/authentication-service/etc/.
    
  3. Copy .java.login.config
     $ cp $HOME/tmp/.java.login.config $HOME/.
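
Before deploying in Step 5, the copied authentication.properties can be checked against the Step 2 rules. The script below is an added example, not part of the caGrid distribution; the function names are hypothetical, it assumes plain key=value lines, and the key-permission test is an extra check that this page does not itself require.

```shell
#!/bin/sh
# Added example: pre-deployment check of authentication.properties against
# the Step 2 rules. Assumes plain key=value lines.

# prop_value FILE KEY: print KEY's value (empty if unset or commented out).
prop_value() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_auth_props FILE: return 0 if FILE follows Step 2, 1 otherwise.
check_auth_props() {
    f=$1; bad=0
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    # Steps 2.1 and 2.4: these properties must stay unset.
    for k in gaards.authentication.csm.truststore \
             gaards.authentication.saml.key.password; do
        if [ -n "$(prop_value "$f" "$k")" ]; then
            echo "FAIL: $k is set but must be left unset"; bad=1
        fi
    done
    # Steps 2.2 and 2.3: cert and key must name existing files.
    for k in gaards.authentication.saml.cert gaards.authentication.saml.key; do
        v=$(prop_value "$f" "$k")
        case $v in
            '')    echo "FAIL: $k is not set"; bad=1 ;;
            *'<'*) echo "FAIL: $k still has a <PLACEHOLDER>: $v"; bad=1 ;;
            *)     [ -f "$v" ] || { echo "FAIL: $k: no such file $v"; bad=1; } ;;
        esac
    done
    # Extra check, not from the page: no key password is configured, so the
    # key file should not be accessible to group or other.
    key=$(prop_value "$f" gaards.authentication.saml.key)
    if [ -f "$key" ]; then
        mode=$(ls -ld "$key" | cut -c5-10)   # group and other permission bits
        [ "$mode" = "------" ] ||
            { echo "FAIL: $key is group/other accessible ($mode)"; bad=1; }
    fi
    [ "$bad" -eq 0 ] && echo "OK: $f follows Step 2"
    return "$bad"
}

# Run only when a properties file is given as the first argument.
[ "$#" -eq 0 ] || check_auth_props "$1"
```

Run it with $CAGRID_HOME/projects/authentication-service/etc/authentication.properties as the argument; a non-zero exit status means at least one FAIL line was printed.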
    

Step 5: Install Authentication Service

Deploy Service

 $ cd $CAGRID_HOME/projects/authentication-service
 $ ant deployTomcat

Step 6: Start Tomcat

Start Tomcat as follows:

  $ $CATALINA_HOME/bin/startup.sh

Check the $CATALINA_HOME/logs/catalina.out file for any errors.

Step 7: Update the Trusted Identity Provider information in Dorian

Here we will update the existing information in Dorian about this Authentication Service as a Trusted Identity Provider, by providing Dorian with its URL and grid identity, such that Dorian clients may discover it automatically.

  1. Start GAARDS UI
     $ cd $CAGRID_HOME
     $ ant security
    1. Open GAARDS Preferences to set target grid
      1. Open the GAARDS Preferences Panel via the "Window" menu -> Preferences.
      2. Double click the grid that you wish to configure, then click the Set Target Grid button
  2. Click the "Login" button.
  3. On the Menu bar, click "Account Management" -> "Grid Account Management" -> "Trusted Identity Provider(s)".
  4. In the Trusted Identity Provider(s) window, Click the "Search" button.
  5. Double-click the identity provider that you need to edit
  6. In the resulting window's "Accepted Authentication Mechanisms" box at the bottom, make sure that the "Unspecified" checkbox is selected.
  7. Click the "Authentication Service" tab.
    1. Provide the "Authentication Service URL" (e.g. https://cagrid-auth-qa.nci.nih.gov:8443/wsrf/services/cagrid/AuthenticationService)
    2. Provide the "Authentication Service Identity" (e.g. /O=caBIG/OU=caGrid/OU=QA LOA1/OU=Services/CN=cagrid-auth-qa.nci.nih.gov)
  8. Click the "Certificate" tab.
    1. Click the "Import Certificate" button at the bottom
    2. Browse to the certificate that you created for this host.
      Example: /home/<user>/.cagrid/certificates/<host>-cert.pem
      The Java file browser on Mac doesn't let you browse to directories that start with a ".". You may have to copy your certificate to another location for this step.
  9. Click "Update".

Step 8: Validate

You can test that your Identity Provider has been successfully integrated by logging onto the Grid you are configuring. To do so, complete the following steps:

  1. Start GAARDS UI
     $ cd $CAGRID_HOME
     $ ant security
    1. Open GAARDS Preferences to set target grid
      1. Open the GAARDS Preferences Panel via the "Window" menu -> Preferences.
      2. Double click the grid that you wish to configure, then click the Set Target Grid button
    2. Click the "Login" button.
      1. From the Authority drop down select the appropriate Dorian for your grid (e.g. caBIG QA)
      2. From the Organization drop down select the Authentication Service that you just installed.
      3. In the User Id text field enter the user id assigned to you by your Identity Provider.
      4. In the Password text field enter your password.
      5. Click the Login button, this will 1) authenticate you with your Identity Provider, 2) obtain a SAML Assertion from your Identity Provider, and 3) contact Dorian using the SAML Assertion to facilitate the creation of a grid proxy. Once the grid proxy is created the Create Proxy window closes and the Proxy Manager window opens with the newly created proxy shown.

If you are able to successfully log in and obtain a Grid proxy, your Identity Provider has been successfully integrated with the Training Grid.

Step 9: Configure Authentication to Start Automatically

For the Authentication service to be available upon reboot of your server, Tomcat must be configured to start automatically.

Tomcat

  1. Configure Tomcat to start automatically: http://tomcat.apache.org/tomcat-5.5-doc/setup.html

Step 10: Update DNS, as necessary, to point to new Authentication instance

Last edited by
William Stephens (633 days ago) , ...